The 5.7 branch of Magnolia reached End-of-Life on December 31, 2023, as specified in our End-of-life policy. This means the 5.7 branch is no longer maintained or supported. Please upgrade to the latest Magnolia release. By upgrading, you will get the latest release of Magnolia featuring significant improvements to the author and developer experience. For a successful upgrade, please consult our Magnolia 6.2 documentation. If you need help, please contact info@magnolia-cms.com.
Publishing or activation of content from author to public instances is authenticated using public-key cryptography. Public-key cryptography is a system that requires two separate keys: a public key to lock or encrypt the plain text request and a private key to unlock or decrypt the cyphertext request. Neither key can do both and neither is derivable from knowledge of the other. One is published and the other is kept private.
On receiving a publishing/activation request, a Magnolia public instance authenticates the author instance using a public key. The author instance generates the key automatically on first publishing/activation of content and transfers it to the public instance. You can generate new public keys any time on the author instance. A single public key is used for multiple public instances.
Configuration
The authentication mechanism requires no configuration. The public key is generated automatically on the first activation of content and transferred to the public instance. The configuration of activation is stored in the server :
Configuration with the Publishing module in use:
Node name | Value |
|---|---|
| info.magnolia.publishing.manager.ActivationManagerAdapter | |
| 30819F300D06092A864886F70D01010105000381... |
Configuration with the Activation module in use:
Node name | Value |
|---|---|
| info.magnolia.module.activation.DefaultActivationManager | |
| 30819F300D06092A864886F70D01010105000381... |
The key pair is also stored on the local file system. If you use the default Magnolia bundle, the location is configured in a magnolia.properties file.
# Location of the file containing both the private and the public keys used to verify authenticity of activation requests
# This file is generated if not present
magnolia.author.key.location=${magnolia.home}/WEB-INF/config/default/magnolia-activation-keypair.properties
Generating a new public key
You can create a new public key in the Publishing Tools app (shown in the screenshot below) or the older Activation Tools app, depending on which module you are using. Key lengths from 512 to 1024 bits are possible.
To generate a new public key:
- On the author instance, open the app in the TOOLS group:
- Click Generate new key. This generates a new public key and registers it automatically on the author instance.
- Copy the new key from the Current public key box.
- Sign into the public instances and open the Configuration app.
- Paste they key to Configuration >
/server/activation/publicKey.
Copy the newly generated public key to all public instances. It is not transferred automatically on activation as is the case with the initial key. You cannot activate thepublicKeynode to the public instance as at this point because a mismatch exists between the keys on author and public.
Troubleshooting
Any type of misconfiguration related either to the keys themselves or the handshaking process between the author and the public instance(s) may lead to activation errors.
Example:
SEVERE: Servlet.service() for servlet [default] in context with path [/magnoliaPublic] threw exception org.bouncycastle.crypto.DataLengthException: input too large for RSA cipher. at org.bouncycastle.crypto.engines.RSACoreEngine.convertInput(Unknown Source) at org.bouncycastle.crypto.engines.RSABlindedEngine.processBlock(Unknown Source) at org.bouncycastle.jcajce.provider.asymmetric.rsa.CipherSpi.getOutput(Unknown Source) at org.bouncycastle.jcajce.provider.asymmetric.rsa.CipherSpi.engineDoFinal(Unknown Source) at javax.crypto.Cipher.doFinal(Cipher.java:2168) at info.magnolia.cms.security.SecurityUtil.decrypt(SecurityUtil.java:168) at info.magnolia.cms.security.SecurityUtil.decrypt(SecurityUtil.java:131) at info.magnolia.publishing.authentication.DefaultPrivatePublicKeyAuthenticator.authenticate(DefaultPrivatePublicKeyAuthenticator.java:92)
Overview
Content Tools
2 Comments
Obeliksz
So magnolia.author.key.location creates the specified file on the author instance. If possible, how to activate the public instance without entering the adminCentral? Like to copy the public key from the author and put it in a file on the public instance, maybe a magnolia.public.key.location?
Furthermore, how to check from the author if the public instance is actually activated when I have a completely empty author and public instance? What is a harmless operation recommended to check if it yields activation error, or so.
Christoph Meier
Hm ... I would say it like this: The value of the property
magnolia.author.key.locationpoints to file which per default is calledmagnolia-activation-keypair.properties. This file contains the private key.afaik - the private key is created during installation.
Also during installation: The public key is created and stored at the author instance at in JCR in the workspace
configat/server/activation@publicKey.There is no reason to check.
If the public key is not set on the public instance, it gets set on the first activation ... can be an asset, a page, a contact, can also be the node
/server/activation(on the config ws) ... everything which can be published and which makes +/- sense to publish.We are currently writing a new docu page concerning the topic; expect it to be published next week.
I hope this helps a bit, cheers,
Christoph